10 ways to make your passwords secure
28th May 2013 | 07:00
Minimise the threat from hackers
Weak passwords are a huge security risk to a business, as the only thing there to prevent hackers accessing many online services. To minimise the chances of hackers accessing your online accounts it's vital to choose a strong password - particularly if the accounts contain confidential information.
As a rule of thumb, a weak password is short and uses eight or fewer lower case letters. A strong password is at least eleven characters long, and contains upper and lower case letters, numbers, and special characters like * or &.
To get an idea of the difference in security, let's assume a hacker gang with a fast computer can make 100 billion attempts per second to guess your password. Here's how long it might take:
- A short password made up of six random lower case letters - a fraction of a second
- A long password made up of 11 random lower case letters - 11 hours
- A long password made up of 11 random lower and upper case letters - two and a half years
- A long password made up of 11 random lower and upper case letters, numbers and special characters - 500 years
Bearing that in mind, here are 10 tips for choosing and using secure passwords.
1. Don't use personal information as a password. Many people use the name of a pet or child, but if a hacker knows you - or can find out this information from a source like Facebook - it will likely be their first guess.
2. Don't use common passwords - security company Sophos provides a list of 50 popular ones that hackers are bound to try. The most common ones include "123456", "password", and "qwerty".
3. Don't use any single word or pair of words that appear in the dictionary. That's because hackers can use software that can test every word in a dictionary in very short amount of time . And don't be fooled that common substitutions, such as a "5" for an "s" (e.g. pa55word), make a difference - hackers and their software are wise to this.
4. Do use a long password. 11 or 12 characters is probably sufficient, although the SANS Institute, a security research organisation, recommends at least 15.
5. Use a password drawn from a pool of as many characters as possible to protect the most sensitive accounts. That means using at least one upper case letter, lower case letter, digit and special character (although not all websites allow special characters.)
6. One way to create a long password that's easy to remember is to use a whole phrase as a password - something like "WhoDaresWins". Another is to use the first letters of the words in a longer phrase - perhaps capitalising every other letter. For example "God save our gracious queen long live our noble queen" would produce " GsOgQlLoNq ".
7. The longer and more complex your passwords, all else being equal, the better. So you can make them more secure by choosing a simple sequence of three or four characters, like "B52" or "M&S" and adding them to the end of all your passwords, e.g. WhoDaresWinsB52 and GsOgQlLoNqB52.
8. Changing passwords regularly can make them difficult to remember but it's sensible to change them occasionally. An easy way to do this is to add the year to the beginning or end of your passwords - e.g. WhoDaresWinsB522013 and GsOgQlLoNqB522013 - and update them annually. This has the advantage of adding length and complexity, and it's also easy to remember how old the password is.
9. If you have too many passwords to remember them all easily, consider using a password manager program such as LastPass or RoboForm. These encrypt and store your passwords securely, and enter them automatically when you supply one master password - which you still have to remember.
10. To get an idea of how much security a given password provides, check it at Gibson Research's tester. But remember, if your computer is infected with a keylogger then a hacker could still get hold of any password you type in, no matter how secure. For that reason it is important to use different passwords for different sites.
To understand why these tips are effective, it's worth looking at how hackers actually break in to online accounts.
The first way is simply by going online and attempting to log in to your account by guessing your password. This is actually quite hard, because most sites will lock your account if the wrong password is entered more than a handful of times.
It's also quite slow: even when using hacking software that enters different user names and passwords automatically it's unlikely that a hacker can try more than 100 passwords every second.
The second way is for a hacker to break in to a web service's computer systems and download a copy of the password file. If it actually contains a list of usernames and corresponding passwords it's effectively "game over" - no matter what password you had chosen, the hacker would have it.
Fortunately most (but not all) website administrators are smarter than that. Instead of storing the passwords themselves, they transform each one by passing it through a mathematical feature called a hashing function. What comes out is an apparently random sequence of characters, called a password hash, and it's these that are stored.
A hashing function is a one-way function, which means that once a password has been transformed into a hash, there is no going the other way: turning the hash back into the original password is impossible. When you enter your password it is turned into a hash that is compared with the one stored in the password file. If they are the same then you must have entered the right password, and your logon will be successful.
So if a hacker manages to steal the password file, all they generally get are a list of usernames and password hashes, but they have no easy way of turning those hashes into usable passwords.
That means they have to guess a possible username's corresponding password, turn that into a hash, and then see if it matches the one stored in the password file. This is known as an offline attack, and using software such as John the Ripper it's possible to make guesses very quickly indeed.
The first passwords that hackers are likely to try are commonly used, such as "password", "123456" and "qwerty". They will then likely launch a dictionary attack - trying every word in the dictionary, and even pairs of words.
Finally they'll try a "brute force" attack, using every combination of one, two, three and so on lower case letters, or lower and upper case letters or even lower and upper case letters and numbers and special characters like @ or & or '. The deeper into this they go the longer the process takes, hopefully to the point that it is a deterrent in itself.